Hk07

A preliminary version of this paper appears in Advances in Cryptology – CRYPTO ’07, Lecture
Notes in Computer Science Vol. 4622, A. Menezes ed., Springer-Verlag, 2007. This is the full
version.
Secure Hybrid Encryption from Weakened Key Encapsulation
Dennis Hofheinz Eike Kiltz
CWI Amsterdam
The Netherlands
{hofheinz,kiltz}@cwi.nl
Abstract
We put forward a new paradigm for building hybrid encryption schemes from constrained
chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated
symmetric encryption. Constrained chosen-ciphertext security is a new security notion for
KEMs that we propose. CCCA has less demanding security requirements than standard
chosen-ciphertext (CCA) security (since it requires the adversary to have a certain plaintext-
knowledge when making a decapsulation query) yet we can prove that CCCA is sufficient
for secure hybrid encryption.
Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption
scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security
framework. It also has a very constructive appeal, which we demonstrate with a new en-
cryption scheme whose security relies on a class of intractability assumptions that we show (in
the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assump-
tion. This appears to be the first practical public-key encryption scheme in the literature
from an algebraic assumption strictly weaker than DDH.
Keywords: Chosen-ciphertext security, weak security assumptions, hybrid encryption
1 Introduction
One of the main fields of interest in cryptography is the design and analysis of encryption
schemes in the public-key setting (PKE schemes) that are secure against a very strong type of
attacks — indistinguishability against chosen-ciphertext attacks (IND-CCA1) [30, 15]. In this
work, we are interested in practical schemes with proofs of security under reasonable security
assumptions (without relying on heuristics such as the random oracle model) and in general
methods for constructing such schemes.
The first practical IND-CCA secure PKE scheme without random oracles was proposed
in a seminal paper by Cramer and Shoup [12, 14]. Their construction was later generalized
to hash proof systems [13]. In [36, 14] Cramer and Shoup also give a hybrid variant that
encrypts messages of arbitrary length. The idea is to conceptually separate the key-encapsulation
(KEM) part from the symmetric (DEM) part. Generally, this hybrid approach greatly improved
1
In what follows IND-CCA always denotes the strong form of IND-CCA2 security.
1

practicality of encryption schemes. A folklore composition theorem (formalized in [14]) shows
that if both KEM and DEM are CCA-secure then the hybrid encryption is CCA-secure. Common
wisdom was that this sufficient condition was also necessary. However, at CRYPTO 2004,
Kurosawa and Desmedt challenged this common wisdom by presenting a hybrid encryption
scheme that demonstrates that a weaker security condition on the KEM may suffice for full
CCA-secure hybrid encryption. Compared to the original Cramer-Shoup scheme, the scheme by
Kurosawa and Desmedt improved efficiency and ciphertext expansion by replacing some of its
algebraic components with information theoretically secure symmetric primitives. More recently,
the KEM part of their scheme was indeed shown to be not CCA secure [18].
One natural open problem from [24] is if there exists a weaker yet natural security condition
on the KEM such that, in combination with sufficiently strong symmetric encryption, chosen-
ciphertext secure hybrid encryption can be guaranteed.
Extending the work of Cramer and Shoup [13], it was demonstrated in [24, 2, 17] that a
variant of hash-proof systems (HPS) can be combined with symmetric encryption and a message
authentication code (MAC) to obtain hybrid encryption. If the hash-proof system is universal2,
then the encryption scheme is chosen-ciphertext secure. However, the Kurosawa-Desmedt hybrid
scheme could not be rigorously explained in this general HPS framework since the underlying
hash-proof system is not universal2. (Roughly, this is since universal2 is a statistical property
whereas the Kurosawa-Desmedt system contains a computational component, namely a target
collision resistant (TCR) hash function.) In [24] (and [13]) only less efficient “hash-free variants”
of their schemes could be explained through hash proof systems; security of all efficient TCR-
based schemes had to be proved separately.
Surprisingly, almost all practical standard-model encryption schemes [12, 14, 24, 2, 11, 10,
22, 23] are based on the difficulty of Decision Diffie-Hellman (DDH) or stronger assumptions.
This is contrasted by the existence of many natural groups in which the DDH assumption is
known to be wrong; examples include pairing-groups and certain non prime-order groups like
Z∗
p. This often overlooked fact may turn into a serious problem in case DDH turns out to be
wrong in all cryptographically interesting groups. In particular, [19] give evidence that groups
with easy DDH problem, but hard computational Diffie-Hellman problem exist. [19] interpret
this as an argument to rely on weaker assumptions than DDH.
1.1 Our contributions
A new KEM/DEM composition theorem. We put forward the security notion of indis-
tinguishability against Constrained chosen-ciphertext attacks (IND-CCCA) for KEMs which is
stronger than IND-CPA (CPA stands for chosen-plaintext attacks) yet strictly weaker than IND-
CCA. Intuitively, CCCA is separated from CCA security by only allowing an adversary to make
a decapsulation query if it has sufficient “implicit knowledge” about the plaintext key to be
decapsulated (hence the name “Constrained chosen-ciphertext security”).2
As our main technical contribution we formalize the above notion and prove a composi-
tion theorem that shows that any IND-CCCA secure KEM combined with any authenticated
(symmetric) encryption scheme yields IND-CCA secure hybrid encryption. This gives a pos-
itive answer to the open question from [24] mentioned before. Authenticated encryption is a
quite general symmetric primitive and examples include “encrypt-then-mac” schemes (based on
computationally secure primitives), and also more efficient single-pass schemes (see, e.g., [31]).
2
This is reminiscent to the notion of “plaintext awareness” for public-key encryption [6] where it is infeasible
for an adversary to come up with a valid ciphertext without being aware of the corresponding plaintext. Our
definition is weaker in the sense that it only requires the adversary to have implicit knowledge on the plaintext.
2

Constrained chosen-ciphertext secure KEMs formalize a new design paradigm for efficient
hybrid encryption. To guarantee chosen-ciphertext security for hybrid encryption schemes it is
sufficient to verify a natural security condition on the key encapsulation part. We assess the
constructive appeal of this framework by demonstrating that the original Kurosawa-Desmedt
scheme [24], along with its variants [2, 29] and all hash-proof systems based schemes [13, 24],
can be thoroughly explained through it. We furthermore present a new IND-CCCA secure KEM
from the DDH assumption and show how to build a class of practical KEMs from progressively
weaker assumptions than DDH.
Constrained chosen-ciphertext secure KEM from DDH. We propose a new KEM
which is IND-CCCA secure under the DDH assumption. Although it relies on different proof
techniques (it is not based on hash proof systems), syntactically it is reminiscent to the one by
Kurosawa and Desmedt and can in fact be viewed as its dual (in the sense that certain parts
from the ciphertext and the symmetric key are swapped in our scheme). Even though it is
not much more efficient than the scheme by Kurosawa and Desmedt, we still consider it to be
interesting since it constitutes the first efficient DDH-based encryption scheme that is not based
on hash proof systems.
Constrained chosen-ciphertext secure KEM from n-Linear. Building on [9, 21] we
introduce a new class of purely algebraic intractability assumptions, the n-Linear assumptions,
where n ≥ 1 is a parameter. They are such that the DDH assumption equals the 1-Linear
assumption, the Linear assumption [9] equals the 2-Linear assumption, and the n-Linear as-
sumptions become strictly weaker as the parameter n grows. More precisely, 1-Linear = DDH,
and n-Linear implies n + 1-Linear, but (in the generic group model [35]) n + 1-Linear is still
hard relative to an n-Linear oracle. In fact, for n ≥ 2 the n-Linear assumption does not seem
to be invalid in any obvious sense even in the groups from [19], in which the DDH problem
is easy, and the computational Diffie-Hellman problem is supposedly hard. We generalize the
KD scheme and its dual to a class of parametrized KEMs and prove their IND-CCCA security
assuming n-Linear. These appear to be the first practical encryption schemes in the literature
from a purely algebraic assumption which is strictly weaker than DDH.
Computational Hash-Proof Systems. We propose a purely computational variant of hash-
proof systems. Generalizing [13, 24], we prove that computational hash-proof systems directly
imply IND-CCCA secure KEMs. Hence, in combination with authenticated encryption, they
yield efficient IND-CCA secure hybrid encryption. The Kurosawa-Desmedt scheme fits this
framework, i.e. the underlying HPS is computational. This gives the first full explanation of
the Kurosawa-Desmedt scheme in terms of HPS. As a generalization we provide computational
hash-proof systems from the n-Linear assumptions hence explaining IND-CCCA security of our
class of KEMs from the n-Linear assumptions.
1.2 Discussion and related work
In [1] (which is the full version of [2]), Abe et al. address the question from [24] about the
existence of a natural weaker security condition for KEMs. They propose the notion of LCCA
secure KEMs with respect to the predicate Pmac and prove it sufficient to obtain, in combination
with a MAC, IND-CCA secure tag-KEMs (and hence IND-CCA secure hybrid encryption).
Though syntactically similar to ours, their notion mingles security of the KEM with the MAC
part of the symmetric encryption scheme. The conceptual difference in our notion is that
we give a general security definition for KEMs that is completely independent of any particular
symmetric primitive. We think that this is more natural and more closely follows the spirit of the
3

KEM/DEM approach [14], where (for good reason) KEM and DEM are viewed as independent
components.
Independent from this work Shacham [34] also proposes a family of hybrid encryption schemes
from the n-Linear assumptions. His schemes can be viewed as a (slightly less eﬃcient) Cramer-
Shoup variant of our schemes from Section 5.2.
The 2-Linear assumption was introduced by Boneh, Boyen, and Shacham [9] and was later
used in gap-groups to build an IND-CCA secure KEM [22]. For n > 2, Kiltz [21] introduced
the class of gap n-Linear assumptions and (generalizing [22]) built a class of IND-CCA secure
KEMs from it. Compared to n-Linear, in the latter gap-assumptions an adversary gets access to
a DDH oracle which makes (for example) the gap 2-Linear assumption incomparable to DDH.
In contrast, our motivation is to build schemes from an assumption weaker than DDH.
2 Preliminaries
2.1 Notation
If x is a string, then |x| denotes its length, while if S is a set then |S| denotes its size. If k ∈ N
then 1k denotes the string of k ones. If S is a set then s
$
← S denotes the operation of picking
an element s of S uniformly at random. We write A(x, y, . . .) to indicate that A is an algorithm
with inputs x, y, . . . and by z
$
← A(x, y, . . .) we denote the operation of running A with inputs
(x, y, . . .) and letting z be the output. We write AO1,O2,...(x, y, . . .) to indicate that A is an
algorithm with inputs x, y, . . . and access to oracles O1, O2, . . . and by z
$
← AO1,O2,...(x, y, . . .)
we denote the operation of running A with inputs (x, y, . . .) and access to oracles O1, O2, . . .,
and letting z be the output.
2.2 Public-Key Encryption
A triple PKE = (PKE.kg, PKE.Enc, PKE.Dec) is a public-key encryption (PKE) scheme, if
PKE.kg and PKE.Enc are probabilistic PTA, and PKE.Dec is a deterministic polynomial-time
algorithm. For consistency, we require that for all k ∈ N, all messages M, it must hold that
Pr[PKE.Dec(sk, PKE.Enc(pk, M)) = M] is overwhelming in k, where the probability is taken
over the above randomized algorithms and (pk, sk)
$
← PKE.kg(1k).
The security we require for PKE is IND-CCA security [30, 15]. To an adversary A = (A1, A2)
we associate the following experiment Expcca
PKE,A(k).
Experiment Expcca
PKE,A(k)
(pk, sk)
$
← PKE.kg(1k)
(M0, M1, St1)
$
← A
PKE.Dec(sk,·)
1 (pk) s.t. |M0| = |M1|
b
$
← {0, 1} ; C∗
pke
$
← PKE.Enc(pk, Mb)
b
$
← A
PKE.Dec(sk,·)
2 (C∗
pke, St1)
If b = b return 1 else return 0
The adversary A2 is restricted not to query PKE.Dec(sk, ·) with C∗
pke. We deﬁne the advantage
of A in the experiment as
Advcca
PKE,A(k) = Pr[Expcca
PKE,A(k) = 1] −
1
2
.
4

PKE scheme PKE is said to be indistinguishable against chosen-ciphertext attacks (IND-CCA
secure in short) if the advantage function Advcca
PKE,A(k) is a negligible function in k for all
adversaries A = (A1, A2) with PTA A1, A2.
For integers k, t, Q we also define
Advcca
PKE,t,Q(k) = max
A
Advcca
PKE,A(k),
where the maximum is over all A that fulfill tA ≤ t and QA ≤ Q.
2.3 Key Encapsulation Mechanisms
A key-encapsulation mechanism KEM = (KEM.Kg, KEM.Enc, KEM.Dec) with key-space K(k)
consists of three polynomial-time algorithms (PTAs). Via (pk, sk)
$
← KEM.Kg(1k ) the ran-
domized key-generation algorithm produces public/secret keys for security parameter k ∈ N;
via (K, C)
$
← KEM.Enc(pk) the randomized encapsulation algorithm creates a uniformly dis-
tributed symmetric key K ∈ K(k) together with a ciphertext C; via K ← KEM.Dec(sk, C)
the possessor of secret key sk decrypts ciphertext C to get back a key K which is an element
in K or a special reject symbol ⊥. For consistency, we require that for all k ∈ N, and all
(K, C)
$
← KEM.Enc(pk) we have Pr [ KEM.Dec(sk, C) = K ] = 1, where the probability is taken
over the choice of (pk, sk)
$
← KEM.Kg(1k ), and the coins of all the algorithms in the expression
above. Here we only consider only KEMs that produce perfectly uniformly distributed keys (i.e.,
we require that for all public keys pk that can be output by KEM.Kg, the first component of
KEM.Enc(pk) has uniform distribution).3
The common requirement for a KEM is indistinguishability against chosen-ciphertext attacks
(IND-CCA) [14] where an adversary is allowed to adaptively query a decapsulation oracle with
ciphertexts to obtain the corresponding key. We will not give the formal definition of IND-
CCA for KEMs. Instead we refer the reader to Section 3 where we introduce a new, weaker
security notion for KEMs that is sufficient for our goal of constructing IND-CCA secure hybrid
encryption.
2.4 Authenticated Encryption
An authenticated symmetric encryption (AE) scheme AE = (AE.Enc, AE.Dec) is specified by its
encryption algorithm AE.Enc (encrypting M ∈ MsgSp(k) with keys K ∈ K(k)) and decryption
algorithm AE.Dec (returning M ∈ MsgSp(k) or ⊥). Here we restrict ourselves to deterministic
PTAs AE.Enc and AE.Dec. The AE scheme needs to provide privacy (indistinguishability against
one-time attacks) and authenticity (ciphertext authenticity against one-time attacks). This is
simulataneously captured (similar to the more-time attack case [32]) by defining the ae-ot-
advantage of an adversary Bae
Advae-ot
AE,Bae
(k) = Pr[K
$
← K(k) ; b
$
← {0, 1} ; b
$
← BLoRb(·,·),DoRb(·)
ae (1k
) : b = b ] − 1/2 .
Here, LoRb(M0, M1) returns ψ ← AE.Enc(K, Mb), and Bae is allowed only one query to this left-
or-right encryption oracle (one-time attack), with a pair of equal-length messages. Furthermore,
the decrypt-or-reject oracle DoR1(ψ) returns M ← AE.Dec(K, ψ) and DoR0(ψ) always returns
3
This requirement is met by all popular KEMs and makes our reduction in Theorem 3.1 tighter. However,
we can show Theorem 3.1 also without this assumption, and derive that the keys are computationally close to
uniform from our upcoming KEM security assumption. This comes at the price of a less tight security reduction
in Theorem 3.1.
5

⊥ (reject), Bae is allowed only one query to this decrypt-or-reject oracle which must be different
from the output of the left-or-right oracle.
We say that AE is a one-time secure authenticated encryption scheme (AE-OT secure) if
the advantage function Advae-ot
AE,Bae
(k) is negliglible for all PTA Bae. Again, for integers k, t,
Advae-ot
AE,t (k) = maxBae Advae-ot
AE,Bae
(k), where the maximum is over all Bae that fulfill tBae ≤ t.
3 Hybrid encryption from Constrained CCA secure KEMs
3.1 Constrained Chosen-Ciphertext Security for KEMs
The common requirement for a KEM is security against chosen-ciphertext attacks [14] where an
adversary is allowed to adaptively query a decapsulation oracle with ciphertexts to obtain the
corresponding key. We relax this notion to contrained chosen-ciphertext security. Intuitively,
we only allow the adversary to make a decapsulation query if it already has some “a priori
knowledge” about the decapsulated key. This partial knowledge about the key is modeled im-
plicitly by letting the adversary additionally provide an efficiently computable Boolean predicate
pred : K → {0, 1}. If pred(K) = 1 then the decapsulated key K is returned, and ⊥ otherwise.
The amount of uncertainty the adversary has about the key (denoted as “plaintext uncertainty”
where for KEMs the plaintext is the symmetric key) is measured by the fraction of keys the
pedicate evaluates to 1. We require this fraction to be negligible, i.e. the adversary has to have
a high a priori knowledge about the decapsulated key when making a decapsulation query.
We now turn to a more formal definition. To an adversary A we associate the following
experiment Expccca
KEM ,A
(k).
Experiment Expccca
KEM ,A
(k)
(pk, sk)
$
← KEM.Kg(1k)
K∗
0
$
← K(k) ; (K∗
1 , C∗)
$
← KEM.Enc(pk)
b
$
← {0, 1}
b
$
← ACDec(·,·)(pk, K∗
b , C∗)
CDec(predi, Ci)
K ← KEM.Dec(sk, Ci)
If K = ⊥ or predi(K) = 0 then ⊥
Else return K ∈ K
with the restriction that A is only allowed to query CDec(predi, Ci) on predicates predi that
are provided as PTA4 and on ciphertexts Ci different from the challenge ciphertext C∗.
We define the advantage of A in the experiment as
Advccca
KEM ,A(k) = Pr[Expccca
KEM ,A(k) = 1] −
1
2
.
For an adversary A, let tA denote the number of computational steps A runs (that includes
the maximal time to evaluate each predi once), and let QA be the number of decapsulation
queries A makes to its decapsulation oracle. For simplicity and without losing on generality,
we consider only adversaries for which tA and QA are independent of the environment that
A runs in. To adversary A in the above experiment we also associate A’s (implicit) plaintext
uncertainty uncertA(k) when making decapsulation queries. Informally, uncertA(k) measures
4
Technically, we charge the time required to evaluate each predi to A’s runtime and require that A be
polynomial-time.
6

the average fraction of keys that a predicate predi accepts, when running in environments that
are at least as efficient as the original CCCA experiment.5
Formally, for an adversary A and an environment E that A interacts with (e.g., E could be
the original CCCA experiment that interacts with A), define
uncertA,E(k) =
1
Q
1≤i≤Q
Pr
K∈K
[predi(K) = 1 when A runs with E] ,
where predi : K → {0, 1} is the predicate A submits in the ith decapsulation query. A CCCA
adversary A is called valid, iff
• A is PTA, and
• for all environments E satisfying tE ≤ tCCCA, we have that uncertA,E(k) is negligible in
k. Here, tCCCA denotes the runtime of the original CCCA experiment (not counting the
adversary runtime and the runtime taken for evaluating predicates).
Finally, a key encapsulation mechanism KEM is said to be indistinguishable against con-
strained chosen ciphertext attacks (IND-CCCA or simply CCCA) if for all valid PTA adver-
saries A, the advantage function Advccca
KEM ,A(k) is negligible in k.
It is worth pointing out that by making different restrictions on uncertA(k) our notion
of CCCA security leads to an interesting continuum between CPA and CCA security. With
the restriction uncertA(k) = 0 then CCCA = CPA; with the trivial restriction uncertA(k) ≤ 1
(which makes is possible to always use the constant predicate pred(K) := 1) then CCCA = CCA.
Concrete security. In the following, we will be interested in a concrete security treatment.
That is, we want not only an asymptotic security statement from an asymptotic computational
assumpion; we also want a statement that shows exactly how much security one gets from a
given non-asymptotic version of the assumption.
First, the notion of a valid adversary is asymptotic and thus doesn’t make sense in a concrete
treatment. We refine the central notion of uncert(·) therefore as follows:
uncertA(k) = max
E
tE ≤tCCCA
1
Q
1≤i≤Q
Pr
K∈K
[predi(K) = 1 when A runs with E] ,
where as before, tCCCA denotes the runtime of the original IND-CCCA experiment. Note that
we take the maximum of this average probability over all environments that are at least as
efficient as the original IND-CCCA experiment.
Now the non-asymptotic, concrete version of CCCA security can be captured as follows: for
integers k, t, Q, and for 0 ≤ µ ≤ 1, let
Advccca
KEM ,t,Q,µ(k) = max
A
tA≤t, QA≤Q,
uncertA(k)≤µ
Advccca
KEM ,A(k),
We also stress the following: demanding that Advccca
KEM ,t,Q,µ(k) be negligible for all polyno-
mials t, Q, and all negligible functions µ is not the same as demanding CCCA security. Namely,
5
One might wonder why we require a certain property of A’s submitted predicates even in more or less
arbitrary environments E (instead of, say, only in the CCCA game). The reason is that to show CCCA security
of a particular scheme, it will be helpful to use this stronger assumption on A in (slightly) modified environments
(e.g., in an already slightly modified CCCA game).
7

the former is the non-uniform version of CCCA security. (That is, CCCA security against ad-
versaries that are non-uniform, polynomial-sized circuit families.) This is not an artifact of our
definition, but a general phenomenon of definitions geared towards capturing concrete security.
In any case, all our reductions below consist of uniform reductions, so what we show is in fact
both uniform and non-uniform security.
An alternative formulation of CCCA security. We remark that it is possible to restrict
the CDec(·, ·) oracle in the CCCA experiment to only output predi(K) ∈ {0, 1} (and not
the key itself in case predi(K) = 1). Note that this does not restrict the adversary since in
case predi(K) = 1 it is always possible to reconstruct the whole key K by making |K(k)| =
poly(k) additional CCCA decapsulation queries with the predicates predi,j(K ) := “predi(K ) ∧
bitj(K ) = 1”, for 1 ≤ j ≤ |K(k)|. This determines the key K bit-wise.
3.2 Hybrid Encryption
Let KEM = (KEM.Kg, KEM.Enc, KEM.Dec) be a KEM and let AE = (AE.Enc, AE.Dec) be an
authenticated encryption scheme. We assume that the two schemes are compatible in the sense
that for all security parameters k, we have that the KEM’s and the AE’s key-space are equal.
Then we can consider a hybrid public key encryption scheme that encrypts arbitrary messages
M ∈ MsgSp. The construction of PKE = (PKE.kg, PKE.Enc, PKE.Dec) is as follows.
PKE.kg(1k )
(pk, sk)
$
← KEM.Kg(1k )
Return (pk, sk)
PKE.Enc(pk, M)
(K, C)
$
← KEM.Enc(pk)
ψ ← AE.Enc(K, M)
Return Cpke = (C, ψ)
PKE.Dec(sk, Cpke = (C, ψ))
K ← KEM.Dec(sk, C)
M ← AE.Dec(K, ψ)
Return M or ⊥
Here PKE.Dec returns ⊥ if either KEM.Dec or AE.Dec returns ⊥.
The following shows that a IND-CCCA secure KEM and a AE-OT secure authenticated
encryption scheme yields a IND-CCA secure PKE scheme.
Theorem 3.1 Assume KEM is secure in the sense of IND-CCCA and AE is secure in the sense
of AE-OT. Then PKE is secure in the sense of IND-CCA. In particular,
Advcca
PKE,t,Q(k) ≤ Advccca
KEM ,t,Q,2Advae-ot
AE,t
(k),E
(k) + (Q + 1) · Advae-ot
AE,t (k) +
Q
|K|
,
where t := t + tCCCA for the runtime tCCCA of the original IND-CCCA experiment.
The intuition of the proof is quite simple. The standard composition theorem [14] shows that
in the above construction a IND-CCA secure KEM can be combined with a CCA secure DEM.
Here we only require the KEM to be IND-CCCA secure. We deal with the full CCA decryption
queries in the hybrid PKE scheme as follows. A decryption query of an adversary in the IND-
CCA game consists of a KEM ciphertext C plus a DEM ciphertext ψ. In the reduction we use
the predicate predψ(·) defined as predψ(K) = 0 if AE.Dec(K, ψ) returns ⊥ and predψ(K) = 1
otherwise. (That is, ψ is hard-coded into predψ.) By the ciphertext authenticity property of
AE this predicate has small plaintext uncertainty, i.e. uncert(k) ≤ 2Advae-ot
AE,B(k). On the other
hand, this hybrid decryption query can be correctly simulated using the output from the CCCA
decapsulation query (which is a symmetric key or ⊥) since an inconsistent ψ (with respect to
the symmetric key) will already lead the predicate predψ(·) to be zero and hence the CCCA
decapsulation query correctly returns reject. For a consistent ψ the predicate evaluates to one
8

and the CCCA decapsulation query returns the correct symmetric key that in turn can be used
to obtain the message from ψ.
We now give a formal proof of Theorem 3.1.
Proof: Let A be an adversary on the IND-CCA security of the hybrid scheme. We will consider
a sequence of games, Game 1, Game 2, . . . , each game involving A. Let Xi be the event that in
Game i, it holds that b = b , i.e., that the adversary succeeds. We will make use of the following
simple “Difference Lemma” [14].
Lemma 3.2 Let X1,X2, B be events, and suppose that X1 ∧ ¬B ⇔ X2 ∧ ¬B. Then |Pr [ X1 ] −
Pr [ X2 ]| ≤ Pr [ B ].
Game 1. The original PKE IND-CCA game, i.e. we have
| Pr[X1] − 1/2| = Advcca
PKE,A(k) .
Game 2. Let C∗
pke = (C∗, ψ∗) be the challenge ciphertext in the PKE IND-CCA game. In
this game the decryption oracle in the first phase rejects all ciphertexts of the form Cpke =
(C∗, ∗). The view of adversary A is identical in Games 1 and 2 until a decryption query
(C∗, ∗) is made in the first phase of the IND-CCA experiment (so before A gets to see C∗).
Since the key K encapsulated in C∗ is uniformly distributed and independent of A’s view
in the first phase, we have
| Pr[X2] − Pr[X1]| ≤
Q
|K|
.
Note that each ciphertext uniquely determines a key.
Game 3. Replace the symmetric key K∗ used to create the PKE challenge ciphertext with a
random key K∗, uniformly independently chosen from K. The proof of the following key
lemma is postponed until later.
Lemma 3.3 | Pr[X3] − Pr[X2]| ≤ Advccca
KEM ,t,Q,2Advae-ot
AE,t (k)
(k).
Game 4. Reject all ciphertexts Cpke of the form (C∗, ∗). Since ψ∗ was generated using a
random key K∗ ∈ K that only leaks to A through ψ∗, authenticity of AE implies
| Pr[X4] − Pr[X3]| ≤ QA · Advae-ot
AE,Bae
(k)
for a suitable adversary Bae that simulates Game 3, using the LoRb with two identical
messages to obtain the AE part of the challenge ciphertext. Bae simply uniformly picks
one AE part of a decryption query of the form (C∗, ψ) to submit to the decrypt-or-reject
oracle DoR1(·).
Finally, Game 4 models one-time security of the AE scheme, and we have
| Pr[X4] − 1/2| ≤ Advae-ot
AE,t (k) .
Collecting the probabilities proves the theorem.
It leaves to prove Lemma 3.3.
9

Proof of Lemma 3.3: We show that there exists an adversary Bkem against the IND-CCCA
security of KEM with tBkem
= tA, QBkem
= QA, and for every PTA environment E there is an
adversary Bae against AE with tBae = tA + tE, such that
uncertBkem
(k) ≤ 2Advae-ot
AE,Bae
(k) (1)
Pr[X2] = Pr[Expccca
KEM ,Bkem
(k) = 1 | b = 1] (2)
Pr[X3] = Pr[Expccca
KEM ,Bkem
(k) = 1 | b = 0] . (3)
The adversary Bkem against the CCCA security of KEM is defined as follows. Bkem inputs
(pk, K∗
b , C∗) for an unknown bit b. First, Bkem runs A1 on input pk. For the ith decryption
query (Ci, ψi) made by adversary A1, adversary Bkem defines the function predi : K → {0, 1} as
predi(K) :=
0 : if AE.Dec(K, ψi) returns ⊥
1 : otherwise
Note that the symmetric ciphertext ψi is hard-coded into predi(·). Clearly, predi(·) is efficiently
computable. If Ci = C∗ then B returns ⊥. Otherwise, Bkem queries (predi, Ci) to its own oracle
CDec(·, ·) and receives the following answer: If KEM.Dec(sk, Ci) returns a key Ki ∈ K such that
AE.Dec(Ki, ψi) = ⊥, then CDec(predi, Ci) returns the key Ki. Otherwise (if KEM.Dec(sk, Ci) =
⊥ or if AE.Dec(Ki, ψi) = ⊥), CDec(predi, Ci) returns ⊥. Note that by the syntax of AE this
can be used to perfectly simulate A’s decryption queries.
For A’s encryption challenge for two messages M0, M1, Bkem uses its own input (K∗
b , C∗) together
with a random bit δ to create a challenge ciphertext C∗
pke = (C∗, ψ∗ ← AE.Enc(K∗
b , Mδ)) of
message Mδ. Adversary Bkem runs A2(C∗
pke, St1), answering decryption queries as defined above
with the difference that all decryption queries of the form (C∗, ψ) (with ψ = ψ∗) are answered
with withever AE.Dec(K∗
b , ψ) returns (a message or ⊥). Evntually, A2 returns a guess bit δ for
δ and Bkem concludes its game with outputting b = 1 if δ = δ and b = 0, otherwise. This
completes the description of Bkem.
Adversary Bkem always perfectly simulates A’s decapsulation queries. In case b = 1, Bkem uses
the real key K∗
1 for A’s simulation which implies Equation (2). In case b = 0, Bkem uses a
random key K∗
0 for A’s simulation which implies Equation (3).
The complexity bounds for Bkem are clear from the construction, and it is left to show that for
any given efficient environment E, uncertBkem
(k) = 2Advae-ot
AE,Bae
(k) for a suitable Bae.
To this end we build an adversary Bae against the AE security of AE as follows. Bae inputs
1k and internally simulates an interaction between A and E completely faithfully. However,
Bae additionally picks a random index j∗ ∈ {1, . . . , Q}. On A’s j∗ decryption query (Cj∗ , ψj∗ ),
Bae submits ψj∗ to its own decryption-or-reject oracle DoRb(·), and outputs b = 0 iff DoRb(·)
rejects with ⊥.
Now Bae will always output b = 0 if b = 0 by definition of DoR0. In case b = 1, Bae will output
b = 1 iff the ciphertext ψj∗ is valid in the sense AE.Dec(K , ψj∗ ) = ⊥ for an independent,
uniformly (by the AE experiment) chosen key K . So adversary Bae’s advantage is as follows.
Advae-ot
AE,Bae
(k) =
1
2
Pr[K
$
← K : AE.Dec(K , ψj∗ ) = ⊥] =
1
2QA
QA
j∗=1
predj∗ (K ) =
1
2
uncertBkem ,E(k),
where predj∗ (·) = AE.Dec(·, ψj∗ ) is the predicate adversary Bkem submits to oracle CDec as the
j∗th query.
10

4 Efficient Key Encapsulation from DDH
4.1 Building blocks
We describe the building blocks used and assumptions made about them.
Group schemes. A group scheme GS [14] specifies a sequence (GRk)k∈N of group descriptions.
For every value of a security parameter k ∈ N, GRk specifies the four tuple GRk = (ˆGk, Gk, pk, gk)
(for notational convenience we sometimes drop the index k). GRk = (ˆG, G, p, g) specifies a finite
abelian group ˆG, along with a prime-order subgroup G, a generator g of G, and the order p
of G. We denote the identity element of G as 1G ∈ G. We assume that ˆG is of order q = p p
and that it takes |q| bits to represent an element in G. We further assume the existence of an
efficient sampling algorithm x
$
← G and an efficient membership algorithm that test if a given
element x ∈ ˆG is contained in the subgroup G.
We further assume the DDH problem is hard in GS, captured by defining the ddh-advantage
of an adversary Bddh as
Advddh
GS,Bddh
(k) =
1
2
|Pr[Bddh(g, h, ga
, ha
) = 1] − Pr[Bddh(g, h, ga
, K) = 1]| ,
where g, h, K
$
← G and a ← Z∗
p.
Authenticated Encryption. We need an abstract notion of algebraic authenticated encryp-
tion where the keyspace consists of G, secure in the sense of OT-AE. In Appendix D we recall
(following the encrypt-then-mac approach [5, 14]) how to build such algebraic AE satisfying all
required functionality and security from the following basic primitives:
• A (computationally secure) one-time symmetric encryption scheme with binary k-bit keys
(such as AES or padding with a PRNG)
• A (computationally secure) MAC (existentially unforgeable) with k-bit keys
• A (computationally secure) key-derivation function (pseudorandom).
We remark that for our purposes it is also possible to use a more efficient single-pass authen-
ticated encryption scheme (see, e.g., [31]). In both cases the the ciphertext expansion (i.e.,
ciphertext size minus plaintext size) of the AE scheme is only k (security parameter) bits which
is optimal with respect to our security notion.
Target Collision Resistant Hashing. TCR = (TCRk)k∈N is a family of keyed hash func-
tions TCRs
k : G → Zp for each k-bit key s. It is assumed to be target collision resistant
(TCR) [14], which is captured by defining the tcr-advantage of an adversary Btcr as
Advtcr
TCR,Btcr
(k) = Pr[TCRs
(c∗
) = TCRs
(c) ∧ c = c∗
: s
$
← {0, 1}k
; c∗ $
← G ; c
$
← Btcr(s, c∗
)].
Note TCR is a weaker requirement than collision-resistance, so that, in particular, any practical
collision-resistant function can be used. Also note that our notion of TCR is related to the
stronger notion of universal one-way hashing [25], where in the security experiment of the latter
the target value c∗ is chosen by the adversary (but before seeing the hash key s).
Commonly [14, 24] this function is implemented using a dedicated cryptographic hash func-
tion like MD5 or SHA, which we assume to be target collision resistant. Since |G| = |Zp| = p
we can alternatively also use a fixed (non-keyed) bijective encoding function INJ : G → Zp.
In that case we have a perfectly collision resistant hash function, i.e. Advtcr
INJ,Btcr
(k) = 0. In
Appendix C, we show how to build such bijective encodings for a number of concrete group
schemes.
11

4.2 The key-encapsulation mechanism
Let GS be a group scheme where GRk specifies (ˆG, G, g, p) and let TCR : G → Zp be a target
collision resistant hash function (for simplicity we assume TCR to be non-keyed). We build a
key encapsulation mechanism KEM = (KEM.kg, KEM.Enc, KEM.Dec) with K = G as follows.
KEM.Kg(1k)
x, y, ω
$
← Z∗
p
u ← gx ; v ← gy ; h ← gω
pk ← (u, v, h) ∈ G3
sk ← (x, y, ω) ∈ (Zp)3
Return (sk, pk)
KEM.Enc(pk)
r
$
← Z∗
p ; c ← gr
t ← TCR(c) ; π ← (utv)r
C ← (c, π) ∈ G2
K ← hr ∈ G
Return (C, K)
KEM.Dec(sk, C)
Parse C as (c, π) ∈ ˆG × ˆG
if c ∈ G return ⊥
t ← TCR(c)
if cxt+y = π return ⊥
Return K ← cω
We stress that decryption never explicitly checks if π ∈ G; this check happens implicitly when
c ∈ G and cxt+y = π is checked.
A correctly generated ciphertext has the form C = (c, π) ∈ G × G, where c = gr and
π = (utv)r = (gxt+y)r = cxt+y. Hence decapsulation will not reject and compute the key
K = cω = hr, as in encapsulation.
Encryption takes four standard exponentiations plus one application of TCR, where the
generation of π can also be carried out as a single multi-exponentiation [7]. Decryption takes
two exponentiations plus one application of TCR, where the two exponentiations can also be
viewed as one sequential exponentiation [7] (which is as efficient as a multi-exponentiation) to
simultaneously compute cxt+y and cω.
Theorem 4.1 Let GS be a group scheme where the DDH problem is hard and assume TCR is
target collision resistant. Then KEM is secure in the sense of IND-CCCA. In particular,
Advccca
KEM ,t,Q,uncert(k)(k) ≤ Advddh
GS,t(k) + Advtcr
TCR ,t(k) + Q · uncert(k) +
Q
p
.
In combination with Theorem 3.1 we obtain the following concrete security result.
Corollary 4.2 The hybrid encryption scheme PKE obtained by combining KEM with authen-
ticated encryption AE is secure in the sense of IND-CCA. In particular,
Advcca
PKE,t,Q(k) ≤ Advddh
GS,t(k) + Advtcr
TCR ,t(k) + (2Q + 1) · Advae-ot
AE,t (k) +
2Q
p
.
Before we give a formal proof we give some intuition why the KEM is IND-CCCA secure.
The difficulty with the simulation is that an adversary against the DDH assumption (simulating
an adversary’s view) has to distinguish between consistent ciphertexts (i.e., ciphertexts for that
cxt+y = π holds) and inconsistent ciphertexts, without knowing the secret key. The idea of the
proof is as follows. The simulator inputs (g, h, c∗ = gr, K∗) and wants to distinguish K∗ = hr
from a random element in G. In the simulation the values u, v from the public-key are set-
up such that the tuple (c∗, π∗) can be used as the challenge ciphertext (for some efficiently
computable π∗) and the value K∗ as the session key. By construction, the corresponding real
session key is hr so breaking IND of the KEM is equivalent to solving the DDH problem. It
leaves to deal with the decapsulation queries under a CCCA attack. The simulator is not able to
distinguish consistent from inconsistent ciphertexts. However, the simualor uses an alternative
decapsulation algorithm with the following two properties:
12

• If the queried ciphertext is consistent (and as long as it is distinct from the challenge
ciphertext) then the alternative decapsulation algorithm yields the correct session key K.
This is done using an algebraic trick from selective-ID secure identity-based encryption [8].
• If the queried ciphertext is inconsistent then the alternative decapsulation algorithm yields
one virtual session key K that is uniformly distributed over G (in an information theoretic
sense). The probability space is taken over all possible secret keys of the simulator that
yield the public-key given to the adversary. Returning the virtual key K to the adversary
would completely determine the simulator’s secret key and hence also the virtual key K
for the next decapsulation query. However, in the IND-CCCA game it will be hard for an
adversary to provide sufficient information about K (in form of the predicate pred) such
that inconsistent decapsulation queries will nearly always lead to a rejection and the same
argument can be repeated iteratively.
We now turn to a formal proof.
Proof: First, if a key pair (pk, sk) with pk = (h, u, v) and sk = (ω, x, y) is clear from the context,
we call a ciphertext C = (c, π) consistent iff cxt+y = π holds for the tag t := TCR(c). Note that
C is hence consistent iff logg(c) = logutv(π).
Let A be an adversary on the IND-CCCA security of the KEM. We will consider a sequence of
games, Game 1, Game 2, . . . , each game involving A. Let Xi be the event that in Game i, it
holds that b = b , i.e., that the adversary succeeds.
Game 1. The KEM IND-CCCA game with random b ∈ {0, 1}, i.e., we have
| Pr[X1] − 1/2| = Advccca
KEM ,A(k) .
Let us fix some notation. Let C∗ = (c∗, π∗) = (ga, (ut∗
v)a) be the challenge ciphertext
(where t∗ = TCR(c∗)) and let K∗
1 = ha be the real challenge key.
Game 2. The decryption oracle immediately rejects all ciphertexts (c, π) with c = c∗ and
t = t∗ (TCR check). Since Game 1 and Game 2 proceed identically until c = c∗ and
TCR(c) = t = t∗ = TCR(c∗), we have Lemma 3.2
| Pr[X2] − Pr[X1]| ≤ Advtcr
TCR,Btcr
(k).
Game 3. Change generation of the secret key as follows. Pick uniformly values x1, x2, y1 ∈ Zp
with x2 = 0 and define
x = x1 + ωx2 ; y = y1 + ω(−t∗
x2) . (4)
Note that public and secret key have exactly the same distribution as in the last game.
We will now rewrite the experiment in terms of x1, x2, and y1 (our goal is to run the
experiment without knowledge of ω). Equation (4) defines the public key as
u = gx1
hx2
; v = gy1
h−t∗x2
(5)
Note that now the consistency check cxt+y = π needs to know ω. The change of the secret
key also implicitly affects the generation of the element π∗ in the challenge ciphertext.
Creation of challenge ciphertext C∗ and real key K∗
1 now simplifies to
c∗
= ga
; π∗
= (ga
)x1t∗+y1
; K∗
1 = ha
. (6)
13

Hence (c∗, π∗) is a correctly generated ciphertext for the real key K∗
1 with randomness a ∈
Zp since by Equations (4) and (5) we have (ut∗
v)a = (gx1t∗+y1 hx2(t∗−t∗))a = (ga)x1t∗+y1 =
π∗. Note that the experiment does not explicitly know the randomness a, only the values
ga and ha. Since the changes are purely conceptual we have
Pr[X3] = Pr[X2].
Game 4. Consider a query (pred, C) adversary A makes to the oracle CDec(·, ·) and recall
that pred : G → {0, 1} is some eﬃciently computable predicate. After the TCR check,
such a query is now processed in the following way. If the ciphertext C is inconsistent (this
is checked using ω) it gets rejected. If the ciphertext C = (c, π) is consistent (by C = C∗
at this point we have t = t∗) compute K as
K =
π
cx1t+y1
1
x2(t−t∗)
. (7)
If pred(K) = 0, then reject, and return K otherwise.
This change is purely conceptual since for any consistent ciphertext with t = t∗ we have π =
(utv)r = (gx1t+y1 hx2(t−t∗))r = cx1t+y1 Kx2(t−t∗) which implies correctness of Equation (7).
Consequently,
Pr[X4] = Pr[X3].
Game 5. A query (pred, C) adversary A makes to the oracle CDec(·, ·) is now processed in
the following way. After the TCR check, for all ciphertexts C = (c, π) (consistent and
inconsistent alike) the key K is decapsulated using Equation (7). If pred(K) = 0, then
reject, and return K otherwise.
Note that at this point the experiment does not make use of ω = logg h anymore and hence
the value h ∈ G from the public key can be generated as a random group element. The
proof of the following key lemma will be given later.
Lemma 4.3
| Pr[X5] − Pr[X4]| ≤ Q · (uncertA(k) +
1
p
)
.
Intuitively the lemma holds since for one inconsistent ciphertext submitted to the CDec(·, ·)
oracle, the virtual key K computed as in Equation (7) looks like a uniform and unde-
pendent element in the view of the adversary (the probability space is the redundancy
contained in sk that is information-theoretically hidden from pk). But for a random in-
dependent key K, the probability that pred(K) = 1 (meaning the ciphertext does not
get rejected) is bounded by uncertA(k) which is negligible by assumption. Hence, with
high probability the inconsistent ciphertext gets rejected and the virtual key K remains
hidden from the adversary’s view. This makes it possible to use a hybrid argument to
show that, with high probability, all inconsistent ciphertexts get rejected in Game 5, just
as in Game 4.
Game 6. The real challenge key K∗
1 is replaced by the random key K∗
0 ∈ G. Since in Game 5
we had K∗
1 = ha and apart from that the experiment was run using the values g, h, ga only
(where all three elements are random group elements), we have
| Pr[X6] − Pr[X5]| ≤ Advddh
G,Bddh
(k).
14

(Note that K∗
1 is only used for b = 1, which occurs with probability 1/2.)
Finally, in Game 6 the distribution of the challenge key K∗
0 does not depend on b, and
consequently
Pr[X6] = 1/2 .
It leaves to prove Lemma 4.3.
Proof: For j ∈ {1, . . . , Q}, let Ej denote the event that in Game 4, adversary A submits as j-th
decryption query a ciphertext (Cj, predj) that gets rejected, but would not have been rejected
in Game 5. Let E := E1 ∨ . . . ∨ EQ. Analogously, let F denote the event that in Game 5,
adversary A submits at any point a decapsulation query that does not get rejected, but would
have been rejected in Game 4. Games 4 and 5 proceed identical unless a decapsulation query
gets treated differently. Consequently,
Pr [ X4 ∧ ¬E ] = Pr [ X5 ∧ ¬F ] and Pr [ E1 ] + . . . + Pr [ EQ ] ≥ Pr [ E ] = Pr [ F ]. (8)
Now consider events Êj, where for j ∈ {1, . . . , Q}, event Êj denotes that the j-th decryption
query (Cj, predj) in Game 4 gets rejected, but predj(K ) = 1 under an independently uniformly
chosen symmetric key K
$
← G. By definition of uncert(k) we have
1
Q
·


1≤j≤Q
Pr[ Êj]

 ≤ uncertA(k),
since Game 4 has the same complexity as the original IND-CCCA experiment.6 We now claim
that
for all j: | Pr[ Êj] − Pr[Ej]| ≤ 1/p . (9)
This implies
Pr [ E1 ] + . . . + Pr [ EQ ] ≤ Pr[ Ê1] + . . . + Pr[ ÊQ] +
Q
p
≤ Q · (uncertA(k) +
1
p
).
Combining this with (8) and using Lemma 3.2 proves the lemma.
It leaves to prove Equation (9). Fix a security parameter k and j ∈ {1, . . . , Q(k)}. Let C = (c, π)
be the ciphertext of the j-th decryption query in Game 4.
Let t := TCR(c), r := logg c, and β := logg π. Write furthermore ω = logg h, and x = logg u =
x1 + ωx2, y = logg v = y1 − t∗ωx2 as before. Then (c, π) is consistent iff π = (utv)r, or,
alternatively, iff β = r · (tx + y). Furthermore, if (c, π) is consistent, then Ej and Êj cannot be
fulfilled by definition. However, we claim that under the condition that (c, π) is inconsistent,
the “virtual key” K used to determine whether pred(K) = 1 or not (according to the rules of
6
There is some “fuzziness” here; depending on the used complexity model, Game 4 might have a complexity
which is only roughly that of the IND-CCCA game. Formally, a concrete security analysis requires in that case
that adversaries be also “valid when run in slightly more complex environments than the IND-CCCA game.” We
stress that such an extension to our theory is possible, in fact straightforward, and in particular yields the results
one would expect. However, such an extension also requires a more complex set of definitions. In the interest of
a clear presentation, we stick to the usual but formally non-rigorous convention that slight changes to a security
game do not add to its complexity.
15

Game 5) is, just as the key K of event Êj, uniformly distributed and independent of the choice
of the predicate pred. So assume β = r · (tx + y). For the key K from Game 5, it holds that
logg K = logg
π
ctx1+y1
1
x2(t−t∗)
=
1
x2(t − t∗)
(β − r · (tx1 + y1))
=
1
x2(t − t∗)
(β − r · (tx + y) − rωx2 · (t − t∗
)) =
1
x2(t − t∗)
(β − r · (tx + y))
=0
−rω
Define the mapping F through
F(X) := (X + rω) ·
t − t∗
β − r · (tx + y)
mod p.
By the assumptions β − r · (tx + y) = 0 and t − t∗ = 0, this mapping is well-defined and bijective
and only depends on information known (in an information-theoretic sense) to the adversary.
Hence, to show that, from A’s perspective, K is (almost) uniformly distributed, it suffices to
show that F(logg K) = 1/x2 mod p is (almost) uniformly distributed given a public key. But
a public key determines only x = x1 + ωx2 and y = y1 − t∗ωx2. Hence, x2 (and consequently
1/x2) is still uniformly and independently from A’s view distributed over {1, . . . , p − 1}. This
implies | Pr[ Êj] − Pr[Ej]| ≤ 1/p which is Equation (9).
4.3 Comparison with Cramer-Shoup and Kurosawa-Desmedt
The following table summarizes the key-encapsulation part of the (only IND-CPA secure) ElGa-
mal scheme [16], the Cramer-Shoup encryption scheme [14], the Kurosawa-Desmedt scheme [24],
and ours.
Scheme Ciphertext Encapsulated Key
ElGamal gr hr
Cramer-Shoup gr, ˆgr, (utv)r hr
Kurosawa-Desmedt gr, ˆgr (utv)r
Dual Kuroasawa-Desmedt (ours) gr, (utv)r hr
Here ˆg is another element from the public-key. Compared to the Cramer-Shoup scheme, the
Kurosawa-Desmedt scheme leaves out the value hr and defines (utv)r out the encapsulated key.
Our results shows that it is also possible to leave out the element ˆgr from the ciphertext and
that π = (utv)r is sufficient to authenticate c = gr. Hence, our scheme can be viewed as the dual
of (the KEM part of) the Kurosawa-Desmedt scheme. From another point of view, compared
to the IND-CPA secure ElGamal scheme our scheme adds one group element π = (utv)r to the
KEM ciphertext which is sufficient to prove it IND-CCCA secure under the DDH assumption.
From a technical point of view, our scheme mixes Cramer-Shoup like techniques [13] to obtain
a form of “plaintext awareness” for inconsistent ciphertexts with an “algebraic trick” from the
Boneh-Boyen identity-based encryption scheme [8] to decrypt consistent ciphertexts. Compared
to Cramer-Shoup based proofs [12, 14, 24, 2] the most important technical difference, caused
by the mentioned ability to decrypt consistent ciphertexts without knowing the full secret key,
is that during our simulation the challenge ciphertexts is never made inconsistent. Intuitively
this is the reason why we manage to maintain a consistent simulation using less redundancy in
the secret key. This demonstrates that IND-CCCA security can be obtained with constructions
that inherently differ from hash proof systems.
16

On the other hand, the security proofs of all schemes based on IBE-techniques [11, 10, 22,
23, 21] inherently relies on some sort of external consistency check for the ciphertexts. This
can be seen as the main reason why security of the IBE-based PKE schemes could only be
proved in pairing groups (or relative to a gap-assumption), where the pairing was neccessary for
helping the proof identifying inconsistent ciphertexts. In our setting, the consistency check is
done implicitly, using information-theoretic arguments borrowed from hash proof systems.
4.4 Explicit vs. implicit rejection
The scheme is given in its explicit-rejction variant, i.e. all inconsistent ciphertexts get imme-
diately rejected by the decapsulation algorithm. Following [14] we can also give an implicit-
rejection variant of the scheme, where inconsistent ciphertexts yield one uniform key and hence
will be rejected by the authenticity property of the DEM. Details are given in Appendix A. The
specific structure of the implicit-rejection KEM makes it possible to share the public elements g
and h among many parties since decryption does not depend on the knowledge of ω = logg(h)
anymore. Hence, similar to the Cramer-Shoup scheme, this implicit-rejection scheme can be used
in the setting of multi-recipient encryption [3], where one single message is being simultaneously
sent to a set of n different recipients.
4.5 A hash-free variant
Similar to [14] we can also give a hash-free variant of our scheme that abandons the hash
function TCR : G → Zp. This variant is useful when neither a bijective encoding nor a target-
colission resistant hash function TCR is available. In terms of computational efficiency and size
of public/secret keys the hash-free variant is slightly less efficient but security can be proved
relying solely on the DDH assumption. Details are given in Appendix B.
4.6 Efficiency
We compare our new DDH-based scheme’s efficiency with the one of Kurosawa and Desmedt
(in its more efficient “explicit-rejection” variant from [29]). Most importantly, the number of
exponentiations for encryption and decryption are equal in both schemes. Although our security
result is much more general (our KEM can be combined with any authenticated encryption
scheme) this is not an exclusive advantage of our scheme. In fact we can derive the same
result for the KD scheme from a more general theorem that we will prove in Section 6. (A
similar result about combining the Kurosawa-Desmedt scheme with authenticated encryption
was already obtained in [4] in the context of statefull encryption.)
However, there is one crucial difference in case one needs a scheme that is provably secure
solely on the DDH assumption. Note that security (of the KD scheme and ours) relies on
the DDH assumption and the assumption that TCR is target collision resistant. So as long
as one does not want to sacrifice provable security by implementing the TCR function with a
dedicated hash function like SHA-x or MD5 (what potentially renders the whole scheme insecure
given the recent progress in attacking certain hash functions [38, 39]), one must either resort
to inefficient generic constructions of TCR functions [25, 33], or one can use the “hash-free
technique” described in [14]. With this latter technique, one can get rid of the TCR function
completely; however, this comes at the cost of additional elements in the public and the secret
key, and additional exponentiations during encryption. This overhead is linear in the number of
elements that would have been hashed with the TCR. In the Kurosawa-Desmedt scheme, TCR
17

acts on two group elements whereas in our scheme only on one. Hence the hash-free variant of
our scheme is more efficient.
More importantly, since in our scheme a TCR is employed which maps one group element
to integers modulo the group-order this can also be a bijection. In many concrete groups,
e.g., when using the subgroup of quadratic residues modulo a safe prime or certain elliptic
curves, this bijection can be trivially implemented at zero cost [14, 10], without any additional
computational assumption, and without sacrificing provable security. See Appendix C for more
details. In terms of efficiency we view this as the main benefit of our scheme.
5 Key Encapsulation from n-Linear
5.1 Linear Assumptions
Let n = n(k) be a polynomial in k. Generalizing [9, 21] we introduce the class of n-Linear
assumptions which can be seen as a natural generalization of the DDH assumption and the
Linear assumption.
Let GS be a group scheme. We define the n-lin-advantage of an adversary Bn-lin as
Advn-lin
GS,Bn-lin
(k) =
1
2
Pr[Bn-lin(g1, . . . , gn, gr1
1 , . . . , grn
n , h, hr1+...+rn
) = 1]
− Pr[Bn-lin(g1, . . . , gn, gr1
1 , . . . , grn
n , h, K) = 1] ,
where g1, . . . , gn, h, K
$
← G and all ri ← Z∗
p. We say that the n-Linear Decisional Diffie-Hellman
(n-Linear) assumption relative to group scheme GS holds if Advn-lin
GS,Bn-lin
is a negligible function
in k for all polynomial-time adversaries Bn-lin.
The n-Linear assumptions form a strict hierarchy of security assumptions with 1-Linear
= DDH, 2-Linear=Linear [9] and, the larger the n, the weaker the n-Linear assumption. More
precisely, for any n ≥ 1 we have that n-Linear implies n+1-Linear. On the other hand (extending
the case of n = 1 [9]) we can show that in the generic group model [35], the n+1-Linear
assumption holds, even relative to an n-Linear oracle.
Lemma 5.1 DDH = 1-Linear
⇐
⇒ 2-Linear
⇐
⇒ 3-Linear
⇐
⇒ . . .
5.2 The key-encapsulation mechanism
Let GS be a group scheme where GRk specifies (ˆG, G, g, p) and let TCR : Gn+1 → Zp be a target
collision resistant hash function. Generalizing the Kurosawa-Desmedt KEM, for a parameter
n = n(k) ≥ 1, we build KEM = (KEM.Kg, KEM.Enc, KEM.Dec) as follows.
Key generation KEM.Kg(1k) generates random group elements g1, . . . , gn, h ∈ G. Further-
more, it defines uj = g
xj
j hz and vj = g
yj
j hz for random z, z ∈ Zp and xj, yj ∈ Zp (j ∈ {1, . . . , n}).
The public key contains the elements h, (gj, uj)1≤i≤n, and the secret key contains all correspond-
ing indices.
KEM.Enc(pk)
∀j ∈ {1, . . . , n}: rj
$
← Z∗
p ; cj ← g
rj
j
d ← hr1+...+rn ; t ← TCR(c1, . . . , cn, d)
C ← (c1, . . . , cn, d) ; K = n
i=1(ut
ivi)ri
Return (C, K)
KEM.Dec(sk, C)
∀j ∈ {1, . . . , n}: check if cj ∈ G
Check if d ∈ G
t ← TCR(c1, . . . , cn, d)
Return K ← dzt+z · n
j=1 c
xjt+yj
j
18

Ciphertexts contain n + 1 group elements, public/secret keys 2n + 1 elements. The scheme
instantiated with n = 1 precisely reproduces the KEM part of the Kurosawa-Desmedt encryption
scheme [24]. We remark that the scheme is presented in its implicit-rejection variant. It is also
possible to give a variant that explicitly rejects inconsistent ciphertexts.
Security of the schemes can be explained using the more general framework of computational
hash-proof systems. This will be done in Section 6.
Theorem 5.2 Let GS be a group scheme where the n-Linear problem is hard, assume TCR is
target collision resistant. Then KEM is secure in the sense of IND-CCCA.
5.3 The Dual Key Encapsulation Mechanism
Let GS be a group scheme where GRk specifies (ˆG, G, g, p) and let TCR : Gn → Zp be a
target collision resistant hash function. Generalizing our scheme from Section 4 for a parameter
n = n(k) ≥ 1, we build KEM = (KEM.Kg, KEM.Enc, KEM.Dec) as follows.
Key generation KEM.Kg(1k) generates random group elements g1, . . . , gn, h ∈ G and indices
ωj such that h = g
ωj
j . Furthermore it defines uj = g
xj
j and vj = g
yj
j for random xj, yj ∈ Zp
(j ∈ {1, . . . , n}). The public key contains the elements h, (gj, uj, vj)1≤i≤n, and the secret key
contains all corresponding indices.
KEM.Enc(pk)
∀j ∈ {1, . . . , n}: rj
$
← Z∗
p ; cj ← g
rj
j
t ← TCR(c1, . . . , cn)
π ← n
j=1(ut
jvj)rj
C ← (c1, . . . , cn, π) ; K ← hr1+...+rn
Return (C, K)
KEM.Dec(sk, C)
∀j ∈ {1, . . . , n}: check if cj ∈ G
t ← TCR(c1, . . . , cn)
If n
j=1 c
xjt+yj
j = π return ⊥
Return K ← n
j=1 c
ωj
j
Correctness of the scheme can be verified analogously to Section 4. Ciphertexts contain n + 1
group elements, public/secret keys 3n+1 elements. The scheme instantiated with n = 1 precisely
reproduces our DDH-based dual KD-KEM from Section 4.
Theorem 5.3 Let GS be a group scheme where the n-Linear problem is hard, assume TCR is
target collision resistant. Then KEM is secure in the sense of IND-CCCA. In particular,
Advccca
KEM ,t,Q,uncert(k),E(k) ≤ Advn-lin
GS,t (k) + Advtcr
TCR ,t(k) + uncert(k) +
Qn
p
.
for a suitable environment E that roughly has the same complexity as the IND-CCCA experi-
ment.
The proof of Theorem 5.3 is similar to the one of Theorem 4.1. We quickly sketch the sim-
ulation of the adversary’s view. Given the values (g1, . . . , gn, c∗
1 = gr1
1 , . . . , c∗
n = grn
n , h, T)
from the n-Linear problem (where T = hr1+...+rn or random) the simulator picks random
˜x1, . . . , ˜xn, ˜y1, . . . , ˜yn, z ∈ Z∗
p and defines the values (ui)1≤i≤n and (vi)1≤i≤n as
ui = g ˜xi
i · hz
, vi = g ˜yi
i · h−t∗z
,
where t∗ = TCR(c∗
1, . . . , c∗
n). Note that (in an information theoretic sense) through the public-key
the adversary knows exactly 2n linear equations in the 2n + 1 variables ˜x1, . . . , ˜xn, ˜yi, . . . , ˜yn, z.
The challenge ciphertext is defined as C∗ = (c∗
1, . . . , c∗
n, n
i=1 c∗
i
˜xit∗+ ˜yi
) and the encapsulated key
19

as T which is either the real key hr1+...+rn or a random key. For a CCCA decapsulation query
(C, pred) the virtual key K is computed as
K =
π
n
i=1 c ˜xit+ ˜yi
1
1
z(t−t∗)
and K is only returned to the adversary if pred(K) = 1. As in the proof of Theorem 4.1 it can
be verified that (i) if C is consistent then K is the correct key; (ii) if C is inconsistent then (from
the adversary’s view) K is a uniform random element in G and hence, with high probability,
the query will be rejected by the predicate test.
6 Key encapsulation from Hash Proof Systems
In [13] Cramer and Shoup showed that their original scheme in [14] was a special instance of a
generic framework based on hash proof systems (HPS). In this section we further elaborate on
the usefulness of Constrained chosen-ciphertext secure KEMs by showing that they can be built
from any hash-proof system.
Following [24] we recall the basic ideas and show how to build IND-CCCA secure key encap-
sulation based on a computational variant of hash proof systems. Here we use a slightly different
notation that reflects our primary use of hash-proof systems as key-encapsulation mechanisms.
6.1 Hash proof systems
Let C, K be sets and V ⊂ C a language. Let Dsk : C → K be a hash function indexed with
sk ∈ S, where S is a set. A hash function Dsk is projective if there exists a projection µ : S → P
such that µ(sk) ∈ P defines the action of Dsk over the subset V. That is, for every C ∈ V, the
value K = Dsk (C) is uniquely determined by µ(sk) and C. In contrast, nothing is guaranteed
for C ∈ C V, and it may not be possible to compute Dsk (C) from µ(sk) and C. A strongly
universal2 projective hash function has the additional property that for C ∈ C V, the projection
key µ(sk) actually says nothing about the value of K = Dsk (C), even given an instance (C∗, K∗)
such that C∗ ∈ C V and K∗ = Dsk (C). More precisely, for all pk ∈ P, C, all C∗ ∈ C V with
C = C∗, all K, K∗ ∈ K,
Pr
sk∈S
Dsk (C∗)=K∗
µ(sk)=pk
[Dsk (C) = K] = 1/|K|. (10)
A hash proof system HPS = (HPS.param, HPS.pub, HPS.priv) consists of three algorithms.
The randomized algorithm HPS.param(1k) generates instances of params = (group, C, V, P, S, D(·) :
C → K, µ : S → P), where group may contain some additional structural parameters. The de-
terministic public evaluation algorithm HPS.pub inputs the projection key pk = µ(sk), C ∈ V
and a witness w of the fact that C ∈ V and returns K = Dsk (C). The deterministic private
evaluation algorithm inputs sk ∈ S and returns Dsk (C), without knowing a witness. We further
assume there are efficient algorithms given for sampling sk ∈ S and sampling C ∈ V uniformly
together with a witness w.
As computational problem we require that the subset membership problem is hard in HPS
which means that the two elements C and C are computationally indistinguishable, for random
C ∈ V and random C ∈ CV. This is captured by defining the advantage function Advsm
HPS,A(k)
20

of an adversary A as
Advsm
HPS,A(k) := Pr[C1
$
← C ; b
$
← A(C, V, C1) : b = 1 ]
− Pr[C0
$
← C V ; b
$
← A(C, V, C0) : b = 1 ] .
6.2 Key encapsulation from HPS
Using the above notion of a hash proof system, Kurosawa and Desmedt [24] proposed a hybrid
encryption scheme which improved the schemes from [13]. The key-encapsulation part of it is
as follows. The system parameters of the scheme consist of params
$
← HPS.param(1k).
KEM.Kg(k). Choose random sk
$
← S and define pk = µ(sk) ∈ P. Return (pk, sk).
KEM.Enc(pk). Pick C
$
← V together with its witness ω that C ∈ V. The session key K =
Dsk (C) ∈ K is computed as K
$
← HPS.pub(pk, C, ω). Return (K, C).
KEM.Dec(sk, C). Reconstruct the key K = Dsk (C) as K ← HPS.priv(sk, C) and return K.
We can prove the following theorem that is a slight generalization of [24].
Theorem 6.1 If HPS is strongly universal2 and the subset membership problem is hard in HPS
then KEM is secure in the sense of IND-CCCA.
Unfortunately, the original KEM part of the Kurosawa Desmedt DDH-based hybrid encryption
scheme [24] cannot be explained using this framework and hence needed a separate proof of
security. This is since the underlying DDH-based hash proof system involves a target collision
resistant hash function TCR which is a “computational primitive” whereas the strongly universal2
property from Equation (10) is a statistical property which is in particular not fulfilled by the
DDH-based HPS from [13] used in [24]. In fact, the most efficient HPS-based schemes that are
known involve computation of a TCR function and hence all need a separate proof of security.
We note that this problem is inherited from the original HPS approach [14].
We overcome this problem we defining the weaker notion of computational hash proof systems.
6.3 Computational hash proof systems
We now define a weaker computational variant of strongly universal2 hashing. To an adversary
B we associate the following experiment Expcu2
HPS,B
.
Experiment Expcu2
HPS,B
(k)
params
$
← HPS.param(1k) ; sk
$
← S ; pk ← µ(sk)
C∗ $
← C V ; K∗ ← Dsk (C∗) ; (C, St)
$
← B
EvalD(·)
1 (pk, C∗, K∗)
b
$
← {0, 1} ; K0
$
← K ; K1 ← Dsk (C)
b
$
← B2(St, Kb)
where the evaluation oracle EvalD(C) returns K = Dsk (C) if C ∈ V and ⊥, otherwise. We also
restrict to adversaries that only return ciphertexts C = C∗ and that ensure C ∈ C V. This
21

is without losing generality, since B1 can check C ∈ V with its oracle EvalD. We define the
advantage of B in the experiment as
Advcu2
HPS,B
(k) = Pr[Expcu2
HPS,B
(k) = 1] −
1
2
.
A hash proof system HPS is said to be computationally universal2 (CU2) if for all polynomial-
time adversaries B that satisfy these requirements, the advantage function Advcu2
HPS,B
(k) is a
negligible function in k.
The following theorem strengthens Theorem 6.1.
Theorem 6.2 If HPS is computationally universal2 and the subset membership problem is
hard then KEM from Section 6.2 is IND-CCCA secure. In particular,
Advccca
KEM ,t,Q,uncert(k)(k) ≤ Advsm
HPS,t(k) + Q · uncert(k) + (2Q + 1) · Advcu2
HPS,t
(k)).
Proof: Let A be an adversary on the IND-CCCA security of the KEM. We will consider a
sequence of games, Game 1, Game 2, . . . , each game involving A. Let Xi be the event that in
Game i, it holds that b = b , i.e., that the adversary succeeds.
Game 1. The KEM IND-CCCA game with random b ∈ {0, 1}, i.e., we have
| Pr[X1] − 1/2| = Advccca
KEM ,A(k) .
As this point we can assume that the real key K∗
1 is computed as K∗
1 = Dsk (C∗) for a
uniformly chosen C∗ $
← V whereas the random key K∗
0 is computed as K∗
0
$
← K.
Game 2. Replace the challenge ciphertext with C∗ $
← C V and still create the real challenge
key as K∗
1 = Dsk (C∗).
| Pr[X2] − Pr[X1]| ≤ Advsm
HPS,A(k)
Game 3. Let (predj, Cj) be the jth decapsulation query made by A. Decapsulation now
checks if C ∈ V. (Note that this check needs not be efficiently implementable.) If yes it
returns K = Dsk (C). If not, it rejects.
Let Ej be the event that Cj ∈ C V but predj(Kj) = 1, and define
−→
E j = E1 ∨ . . . ∨ Ej,
and E =
−→
E Q. Since unless E happens, the Games 2 and 3 proceed indentically, we have
| Pr[X3] − Pr[X2]| ≤ Pr[E].
We now upper bound Pr[E]. Let Êj be the event that Cj ∈ C V but predj(K ) = 1 for
an independently uniformly chosen key K ∈ K.
To do so, we define the following adversary B = (B1, B2) against CU2 of HPS. Adversary
B1 inputs (pk, C∗
1 , K∗
1 ) and first uniformly chooses j∗ ∈ {1, . . . , Q}. It then provides A
with (pk, C∗
1 , K∗
1 ). For 1 ≤ i ≤ j∗ − 1, adversary A’s ith decapsulation query (predi, Ci)
is processed as follows. First B1 calls EvalD(Ci) to obtain Ki or ⊥. If the answer
was ⊥ (which means that Ci ∈ V) it returns ⊥ to A. Otherwise (Ci ∈ V) B1 defines
Ki ← EvalD(Ci) = KEM.Dec(sk, Ci) and returns Ki if predi(Ki) = 1 and ⊥, otherwise.
Adversary A’s j∗-th decapsulation query (predj∗ , Cj∗ ) is processed as follows. If EvalD(Cj∗ )
yields ⊥ (meaning Cj∗ ∈ V) then B1 terminates and lets B2 return b = 0. Otherwise, B1
22

returns Cj∗ to its own CU2 experiment. Finally, B2 inputs a challenge key Kb and returns
b = predj∗ (Kb) to its experiment and terminates.
We now analyze B’s success probability. In analogy to the events Êj, define events Fj and
ˆFj. Here, Fj denotes the probability that in the setting which B simulates for A (i.e., in a
setting in which all A gets all queries C ∈ C V rejected), the j-th query Cj is ∈ C V but
predj(Kj) = 1. Analogously, ˆFj denotes the event that in this setting, Cj is ∈ C V but
predj(Kj) = 1 for a uniformly and independently chosen key Kj. Define
−→
F j = F1 ∨. . .∨Fj
and
−→
ˆF j = ˆF1 ∨ . . . ∨ ˆFj as above.
Now we inductively show that for all j, we have Pr[
−→
F j] = Pr[
−→
E j] and Pr[
−→
F j] = Pr[
−→
E j].
For j = 1, this is clear from the definition. For j > 1, we have inductively
Pr[
−→
F j] = Pr[
−→
F j ∧
−→
F j−1] + Pr[
−→
F j ∧ ¬
−→
F j−1] = Pr[
−→
F j−1] + Pr[
−→
F j | ¬
−→
F j−1] · Pr[¬
−→
F j−1]
(∗)
= Pr[
−→
E j−1] + Pr[
−→
E j | ¬
−→
E j−1] · Pr[¬
−→
E j−1]
= Pr[
−→
E j−1] + Pr[
−→
E j | ¬
−→
E j−1] · Pr[¬
−→
E j−1] = Pr[
−→
E j].
In (∗), we use not only the induction hypothesis, but also the fact that Pr[
−→
F j | ¬
−→
F j−1] =
Pr[
−→
E j | ¬
−→
E j−1] for every j by definition of Ej and Fj. Similarly, we can show Pr[
−→
ˆF j] =
Pr[
−→
Ê j] for arbitrary j ∈ {1, . . . , Q}.
We split Advcu2
HPS,t
(k) into
Advcu2
HPS,t
(k) =
1
2
· Pr[b = 1 | b = 1] +
1
2
· Pr[b = 0 | b = 0] −
1
2
=
1
2
· Pr[b = 1 | b = 1] − Pr[b = 1 | b = 0]
and consider the two summands seperately. Now note that by definition of B, we have
Pr[b = 1 | b = 1] =
1
Q
Q
j=1
Pr[Fj] ≥
1
Q
Pr[F]
=
1
Q
Q
j=1
Pr[Fj |
−→
F j−1] =
1
Q
Q
j=1
Pr[Ej |
−→
E j−1] =
1
Q
Pr[E],
whereas
Pr[b = 1 | b = 0] =
1
Q
Q
j=1
Pr[ ˆFj] = uncertA(k),
since Game 2 has the same complexity as the original IND-CCCA game.7 Summarizing,
we obtain
| Pr[X3] − Pr[X2]| ≤ Pr[E] ≤ Q · 2Advcu2
HPS,t
(k) + uncertA(k) ,
7
cf. footnote 6
23

Game 4. The real challenge key K∗
1 is replaced by the random key K∗
0 ∈ K. We have
| Pr[X4] − Pr[X3]| ≤ Advcu2
HPS,t
(k)
Finally, since in Game 4 the distribution of the challenge key K∗
0 is independent of b we
have
Pr[X4] = 1/2 .
6.4 A computational HPS from n-Linear
Let GS be a group scheme where GRk specifies (ˆG, G, g, p). Let group = (GR, g1, . . . , gn, h),
where g1, . . . , gn, h are independent generators of G. Define C = Gn+1 and V = {(gr1
1 , . . . , grn
n ,
hr1+...+rn ) ⊂ Gn+1 : r1, . . . , rn ∈ Zp} The values (r1, . . . , rn) ∈ Zn
p are a witness of C ∈ V.
Let TCR : Gn+1 → Zp be a target collision resistant hash function. Let S = Z2n+2
p , P = G2n,
and K = G. For sk = (x1, y1, . . . , xn, yn, z, z ) ∈ Z2n+2, define µ(sk) = (u1, . . . , un, v1, . . . , vn),
where, for 1 ≤ i ≤ n, ui = gxi
i hz and vi = gyi
i hz . This defines the output of HPS.param(1k). For
C = (c1, . . . , cn, d) ∈ C define
Dsk (C) := dzt+z
·
n
i=1
cxit+yi
i , where t = TCR(c1, . . . , cn) . (11)
This defines HPS.priv(sk, C). Given pk = µ(sk), C ∈ V and a witness w = (r1, . . . , rn) ∈ (Zp)n
such that C = (c1, . . . , cn, d) = (gr1
1 , . . . , grn
n , hr1+...+rn ) public evaluation HPS.pub(pk, C, w)
computes K = Dsk (C) as
K =
n
i=1
(ut
ivi)ri
.
Correctness follows by Equation (11) and the definition of µ. This completes the description of
HPS. Clearly, under the n-Linear assumption, the subset membership problem is hard in HPS.
Obviously, the above defined HPS is not strongly universal2 in the sense of Equation (10).
But it is still computationally universal2.
Lemma 6.3 The n-Linear based HPS is computationally universal2.
Together with Theorem 6.2 this proves Theorem 5.2. For the case n = 1 this also gives an
alternative security proof for the Kurosawa-Desmedt scheme [24].
Proof: Consider an adversary B in the CU2 experiment such that B1 outputs a ciphertext
C ∈ C V and let K ← Dsk (C). Let col be the event that C = C∗ but TCR(C) = TCR(C∗).
We claim that for the following adversary Btcr we have Advtcr
TCR,Btcr
(k) = Pr[col]. Adversary
Btcr inputs (s, C∗) and generates a random instance of params with known indices αi such that
h = gαi . Furthermore, Btcr picks a random sk ∈ S and runs B1 on pk = µ(sk), a random
C∗ ∈ C V, and K∗ = Dsk (C∗). To answer a query to the evaluation oracle EvalD(·), Btcr fist
verifies C = (c1, . . . , cn, d) ∈ V by checking if cαi
i = d. If not, return ⊥. Otherwise it returns
K = Dsk (C). If for a decapsulation query C event col happens, Btcr returns C to its TCR
experiment and terminates.
Now we claim that conditioned under ¬col, the key K = Dsk (C) is a uniform element in K
independent of the adversary’s view. This implies that not even a computationally unbounded
24

B2 could succeed in the second stage. Hence, Advcu2
HPS,B
(k) ≤ Advtcr
TCR,Btcr
(k), which proves the
lemma.
Let log(·) = logg(·). Consider the view of B2 consisting of the random variables (pk, C∗, K∗, C),
where sk = (x1, y1, . . . , xn, yn, z, z )
$
← Z2n+2, pk = µ(sk) = (u1, . . . , un, v1, . . . , vn), C∗ =
(c∗
1, . . . , c∗
n, d∗) = (g
r∗
1
1 , . . . , g
r∗
n
n , hr∗
) with r∗
i = r∗ since C∗ ∈ C V, K∗ = Dsk (C∗), and
C = (c1, . . . , cn, d) = (gr1
1 , . . . , grn
n , hr) ( ri = r since C ∈ C V). From the system parameters
g1, . . . , gn, h, adversary B2 learns ω = log h, ωi = log gi, and from pk
for 1 ≤ i ≤ n : log ui = ωixi + ωz, log vi = ωiyi + ωz . (12)
From C∗ the adversary learns r∗
i = loggi
c∗
i , r∗ = logh d∗, and from K∗ (by Equation (11)) the
value
log K∗
= ωir∗
i (xit∗
+ yi) + ω(zt∗
+ z ) , (13)
and t∗ = TCR(c∗
1, . . . , c∗
n, d∗). Furthermore, from C, B2 learns ri = loggi
ci and r = logh d. Let
K = Dsk (C). Our claim is that
log K = ωiri(xit + yi) + ω(zt + z ) , (14)
with t = TCR(C) = t∗, is a uniform and independent element in Zp. Consider the set of linear
equations over the hidden values x1, . . . , xn, y1, . . . , yn, z, z defined by Equations (12), (13), and
(14), defined by the matrix M ∈ Zn+2×n+2
p ,
M =
x1 . . . xn y1 . . . yn z z0
B
B
B
B
B
B
B
B
B
B
B
B
B
@
ω1 ω
... 0
... 0
ωn ω
ω1 ω
0
... 0
...
ωn ω
ω1r∗
1 t∗
· · · ωnr∗
nt∗
ω1r∗
1 . . . ωnr∗
n ωt∗
r∗
ωr∗
ω1r1t · · · ωnrnt ω1r1 . . . ωnrn ωtr ωr
1
C
C
C
C
C
C
C
C
C
C
C
C
C
A
Since det(M) = ω2 ωi(t − t∗)( n
i=1 ri − r)( n
i=1 r∗
i − r∗) = 0, Equation (14) is linearly inde-
pendent of (12) and (13).
6.5 A computational HPS based on Paillier
For a reader familiar with this concept we briefly sketch a computational hash-proof system
based on Paillier’s Decision Composite Residuosity (DCR) assumption [13]. For more details
we refer the reader to [27, 13]. Let p1, q1, p2, q2 be primes where p1 = 2p2 + 1 and q1 = 2q2 + 1.
Define N1 = p1q1 and N2 = p2q2. Consider
Z∗
N2
1
= GN1 × GN2 × G2 × T .
The subgroup G ⊆ Z∗
N2
1
given by G = GN1 × GN2 is cyclic of order N1N2. Let g be a generator
of G. Then g1 = gN2 is a generator of GN1 and g2 = gN1 is a generator of GN2 . Each element
h ∈ ZN2
1
can be uniquely written as h = h1N1 + h2, where 0 ≤ h1, h2 < N1. We define
[h]2 = h2 = h mod N1.
25

Let N1, g2 be public parameters (that implicitly define the secret N2). Define C = G and
V = GN2 . Let TCR : C → Z N2
1 /2 be a target collision resistant hash function. For a C = gr
2 ∈
V ⊂ C, the element r ∈ W = {0, . . . , N2 − 1} is a witness (for C ∈ V). Since N2 is unknown,
public sampling from the set V is done by picking random r ∈ W = {0, . . . , N1/4 } ≈ W and
computing C = gr
2. Let K = {0, . . . , N2
1 /2 } ≈ {0, . . . , N1N2 − 1}. The set S is defined as
S = {(x, y) : x, y ∈ K} and the projection µ : S → P as µ(sk) = (u = gx
2 , v = gy
2) ∈ P =
G2
N2
. The hash function Dsk : C → K = ZN1 is defined as Dsk (C) = [Cxt+y mod N2
1 ]2, where
t = TCR(C). Given witness r ∈ W such that C = gr
2 ∈ V and (u, v) = µ(sk), public evaluation
HPS.pub computes K = Dsk (C) as K = [(utv)r mod N2
1 ]2. For correctness we refer to [13]. This
completes the description of the hash-proof system HPS.
As shown in [13], the subset membership problem is hard if the DCR assumption holds.
Using the techniques from [13] it is now easy to show that if TCR is target collision resistant,
then HPS is a computationally universal2.
Acknowledgements
We thank Ronald Cramer, Jorge Villar, Chen Yuan, and Moti Yung for their comments. We
thank Serge Vaudenay for pointing out the alternative definition of CCCA security.
References
[1] Masayuki ABE, Rosario Gennaro, and Kaoru Kurosawa. Tag-KEM/DEM: A new frame-
work for hybrid encryption. Cryptology ePrint Archive, Report 2005/027, 2005. http:
//eprint.iacr.org/. (Cited on page 3.)
[2] Masayuki Abe, Rosario Gennaro, Kaoru Kurosawa, and Victor Shoup. Tag-KEM/DEM:
A new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM.
In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 128–146.
Springer-Verlag, Berlin, Germany, May 2005. (Cited on page 2, 3, 16.)
[3] M. Bellare, A. Boldyreva, K. Kurosawa, and Jessica Staddon. Multi-recipient encryption
schemes: How to save on bandwidth and computation without sacrificing security. IEEE
Transactions on Information Theory, ???(???), 2007. (Cited on page 17, 30.)
[4] Mihir Bellare, Tadayoshi Kohno, and Victor Shoup. Stateful public-key cryptosystems:
How to encrypt with one 160-bit exponentiation. In Ari Juels, Rebecca N. Wright, and
Sabrina De Capitani di Vimercati, editors, ACM CCS 06, pages 380–389. ACM Press,
October / November 2006. (Cited on page 17.)
[5] Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among
notions and analysis of the generic composition paradigm. In Tatsuaki Okamoto, editor,
ASIACRYPT 2000, volume 1976 of LNCS, pages 531–545. Springer-Verlag, Berlin, Ger-
many, December 2000. (Cited on page 11, 32, 33.)
[6] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing
efficient protocols. In V. Ashby, editor, ACM CCS 93, pages 62–73. ACM Press, November
1993. (Cited on page 2.)
[7] D. J. Bernstein. Pippenger’s exponentiation algorithm. Available from http://cr.yp.to/
papers.html#pippenger, 2001. (Cited on page 12.)
26

[8] Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity based encryption with-
out random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004,
volume 3027 of LNCS, pages 223–238. Springer-Verlag, Berlin, Germany, May 2004. (Cited
on page 13, 16.)
[9] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In Matthew
Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer-Verlag,
Berlin, Germany, August 2004. (Cited on page 3, 4, 18.)
[10] Xavier Boyen, Qixiang Mei, and Brent Waters. Direct chosen ciphertext security from
identity-based techniques. In Vijayalakshmi Atluri, Catherine Meadows, and Ari Juels,
editors, ACM CCS 05, pages 320–329. ACM Press, November 2005. (Cited on page 2, 17,
18, 30, 31, 32.)
[11] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-
based encryption. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004,
volume 3027 of LNCS, pages 207–222. Springer-Verlag, Berlin, Germany, May 2004. (Cited
on page 2, 17.)
[12] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure
against adaptive chosen ciphertext attack. In Hugo Krawczyk, editor, CRYPTO’98, volume
1462 of LNCS, pages 13–25. Springer-Verlag, Berlin, Germany, August 1998. (Cited on
page 1, 2, 16.)
[13] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen
ciphertext secure public-key encryption. In Lars R. Knudsen, editor, EUROCRYPT 2002,
volume 2332 of LNCS, pages 45–64. Springer-Verlag, Berlin, Germany, April / May 2002.
(Cited on page 1, 2, 3, 16, 20, 21, 25, 26.)
[14] Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption
schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing,
33(1):167–226, 2003. (Cited on page 1, 2, 4, 5, 6, 8, 9, 11, 16, 17, 18, 20, 21, 30, 32, 33.)
[15] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM Journal
on Computing, 30(2):391–437, 2000. (Cited on page 1, 4.)
[16] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete
logarithms. In G. R. Blakley and David Chaum, editors, CRYPTO’84, volume 196 of
LNCS, pages 10–18. Springer-Verlag, Berlin, Germany, August 1985. (Cited on page 16.)
[17] Rosario Gennaro and Victor Shoup. A note on an encryption scheme of Kurosawa and
Desmedt. Cryptology ePrint Archive, Report 2004/194, 2004. http://eprint.iacr.org/.
(Cited on page 2.)
[18] D. Hofheinz, J. Herranz, and E. Kiltz. The Kurosawa-Desmedt key encapsulation is not
chosen-ciphertext secure. Cryptology ePrint Archive, Report 2006/207, 2006. http://
eprint.iacr.org/. (Cited on page 2.)
[19] Antoine Joux and Kim Nguyen. Separating decision Diffie-Hellman from computational
Diffie-Hellman in cryptographic groups. Journal of Cryptology, 16(4):239–247, September
2003. (Cited on page 2, 3.)
27

[20] Jonathan Katz and Moti Yung. Unforgeable encryption and chosen ciphertext secure modes
of operation. In Bruce Schneier, editor, FSE 2000, volume 1978 of LNCS, pages 284–299.
Springer-Verlag, Berlin, Germany, April 2000. (Cited on page 33.)
[21] E. Kiltz. Chosen-ciphertext secure key-encapsulation based on Gap Hashed Diffie-Hellman.
In Proceedings of PKC 2007, volume 4450 of LNCS, pages 282 – 297, 2007. http://eprint.
iacr.org/2007/036. (Cited on page 3, 4, 17, 18.)
[22] Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In Shai Halevi and Tal
Rabin, editors, TCC 2006, volume 3876 of LNCS, pages 581–600. Springer-Verlag, Berlin,
Germany, March 2006. (Cited on page 2, 4, 17.)
[23] Eike Kiltz. On the limitations of the spread of an IBE-to-PKE transformation. In Moti
Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, PKC 2006, volume 3958
of LNCS, pages 274–289. Springer-Verlag, Berlin, Germany, April 2006. (Cited on page 2,
17.)
[24] Kaoru Kurosawa and Yvo Desmedt. A new paradigm of hybrid encryption scheme. In
Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 426–442. Springer-
Verlag, Berlin, Germany, August 2004. (Cited on page 2, 3, 11, 16, 19, 20, 21, 24.)
[25] Moni Naor and Moti Yung. Universal one-way hash functions and their cryptographic
applications. In 21st ACM STOC, pages 33–43. ACM Press, May 1989. (Cited on page 11,
17.)
[26] Digital signature standard, fips publication 186-3. National Institute of Standards and
Technology, NIST FIPS PUB 186-3, U.S. Department of Commerce, March 2006. (Cited
on page 30.)
[27] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In
Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 223–238. Springer-
Verlag, Berlin, Germany, May 1999. (Cited on page 25.)
[28] Duong Hieu Phan and David Pointcheval. About the security of ciphers (semantic security
and pseudo-random permutations). In Helena Handschuh and Anwar Hasan, editors, SAC
2004, volume 3357 of LNCS, pages 182–197. Springer-Verlag, Berlin, Germany, August
[29] Le Trieu Phong and Wakaha Ogata. On a variation of Kurosawa-Desmedt encryption
scheme. Cryptology ePrint Archive, Report 2006/031, 2006. http://eprint.iacr.org/.
(Cited on page 3, 17.)
[30] Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge
and chosen ciphertext attack. In Joan Feigenbaum, editor, CRYPTO’91, volume 576 of
LNCS, pages 433–444. Springer-Verlag, Berlin, Germany, August 1992. (Cited on page 1,
4.)
[31] Phillip Rogaway, Mihir Bellare, John Black, and Ted Krovetz. OCB: A block-cipher mode
of operation for efficient authenticated encryption. In ACM CCS 01, pages 196–205. ACM
Press, November 2001. (Cited on page 2, 11.)
28

[32] Phillip Rogaway and Thomas Shrimpton. A provable-security treatment of the key-wrap
problem. In Serge Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages
373–390. Springer-Verlag, Berlin, Germany, May / June 2006. (Cited on page 5.)
[33] John Rompel. One-way functions are necessary and sufficient for secure signatures. In 22nd
ACM STOC, pages 387–394. ACM Press, May 1990. (Cited on page 17.)
[34] Hovav Shacham. A cramer-shoup encryption scheme from the linear assumption and from
progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074, 2007.
http://eprint.iacr.org/. (Cited on page 4.)
[35] Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy,
editor, EUROCRYPT’97, volume 1233 of LNCS, pages 256–266. Springer-Verlag, Berlin,
Germany, May 1997. (Cited on page 3, 18.)
[36] Victor Shoup. Using hash functions as a hedge against chosen ciphertext attack. In Bart
Preneel, editor, EUROCRYPT 2000, volume 1807 of LNCS, pages 275–288. Springer-Verlag,
Berlin, Germany, May 2000. (Cited on page 1.)
[37] G. S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic
communications. Journal of the American Institute of Electrical Engineers, 45:109–115,
[38] Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions. In Ronald
Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 19–35. Springer-Verlag,
Berlin, Germany, May 2005. (Cited on page 17.)
[39] Xiaoyun Wang, Hongbo Yu, and Yiqun Lisa Yin. Efficient collision search attacks on SHA-0.
In Victor Shoup, editor, CRYPTO 2005, volume 3621 of LNCS, pages 1–16. Springer-Verlag,
Berlin, Germany, August 2005. (Cited on page 17.)
[40] Mark N. Wegman and Larry Carter. New hash functions and their use in authentication
and set equality. Journal of Computer and System Sciences, 22:265–279, 1981. (Cited on
page 32.)
A An implicit-rejection variant of the dual KD scheme
We sketch a variant of our dual KD scheme from Section 4, where decapsulation is modified such
that inconsistent ciphertexts get only implicitly rejected. Both variants have the same security
properties as the dual KD scheme. We remark that it is also possible to give the same variant
for the schemes based on the class of n-Linear assumptions from Section 5.
Let GS be a group scheme where GRk specifies (ˆG, G, g, p). We furthermore assume that GRk
contains a second random generator h ∈ G. Let TCR : G → Zp be a target collision resistant
hash function (for simplicity we assume TCR to be non-keyed). We build a key encapsulation
mechanism KEM = (KEM.kg, KEM.Enc, KEM.Dec) with K = G as follows.
KEM.Kg(1k)
x1, x2, y2
$
← Z∗
p
u ← g−x1/y2 ; v ← g−y1/y2 h1/y2
pk ← (u, v) ∈ G2
sk ← (x1, x2, y2) ∈ (Zp)3
Return (sk, pk)
KEM.Enc(pk)
r
$
← Z∗
p ; c ← gr
t ← TCR(c) ; π ← (utv)r
C ← (c, π) ∈ G2
K ← hr ∈ G
Return (C, K)
KEM.Dec(sk, C)
if c ∈ G or π ∈ G return ⊥
t ← TCR(c)
Return K ← cx1t+y1 · πy2
29

Note that decryption has to ensure that both elements c, π are contained in G, whereas the
explicit rejction scheme only has to check if c is contained in G. Further, the two generators g, h
can be viewed as fixed over a multi-user PKI environment. That means that g, h can be put in
the general system parameters and only u, v have to be distinct for each user.
Correctness can be verified as follows. Without loss of generality, assume (utv) = 1.
Let ω = logg h. For an arbitrary ciphertext (c, π) we have c = gr1 and π = (utv)r2 =
(g(−x1/y2)t−y1/y2 h1/y2 )r2 = g
r2·
−(x1t+y1)+ω
y2 , where r1 = r2 iff the ciphertext was correctly gen-
erated. Decapsulation computes K as
K = cx1t+y1
· πy2
= gr1(x1t+y1)+r2(−(x1t+y1)+ω)
= hr2
· g(r1−r2)(x1t+y1)
.
In case the ciphertext is consistent this reconstructs the correct key. In case the ciphertext is
not consistent, decapsulation yields one uniform key K. However, in the IND-CCCA game it
will be hard for an adversary to provide sufficient information (in form of a predicate) about K.
Hence, informally speaking, inconsistent decapsulation queries are not useful.
A.1 Multi-user setting
The specific structure of the implicit-rejection KEM makes it possible to share the public el-
ements g and h among many parties since decryption does not depend on the knowledge of
ω = logg(h) anymore. Hence, similar to the Cramer-Shoup scheme, this implicit-rejection scheme
can be used in the setting of multi-recipient encryption [3], where one single message is being
simultaneously sent to a set of n different recipients.
Here the global system parameters consist of the two group elements g, h and the individual
public key of the ith recipient only consists of the two group elements (ui, vi). To encrypt a
message to n different recipient, the encapsulated symmetric key K = hr and the first element
of the ciphertext c = gr can be shared among all recipients. Hence the multi-receiver ciphertext
consists of c = gr, the symmetric part DEM.EncK(M) and the individual parts πi = (ut
ivi)r, for
i ∈ {1, . . . , n}. Compared to the naive solution (applying n-times the hybrid encryption scheme)
this saves n − 1 times the symmetric part (each contains m + k bits) plus n group elements.
B A hash-free variant of the dual KD scheme
Following [14] we give a hash-free variant KEM = (KEM.Kg, KEM.Enc, KEM.Dec) which can
be used in case the dual KD KEM has to be implemented in groups where there is no efficient
bijection TCR∗
: G → Zp known. The hash-free variant basically implements an injective
encoding CHOP : ˆG → Zp for a sufficiently large ≥ 1. In principle, such encodings always
exist, since we can, similar to [14, 10], always write down the p-adic representation of any
encoding of element c ∈ ˆG. E.g., in case ˆG = Zq and G ⊆ Zq has prime-order p, one would
have = logp(q ) = |q |/|p| . For all practical choices of p and q we have q ≤ p2 (for example,
all NIST recommended elliptic curves [26]) and hence ≤ 2. Hence, CHOP can be implemented
using “mod p” operations at negliglible cost (compared to one exponentiation).
30

KEM.Kg(1k)
ω
$
← Z∗
p ; h ← gω
∀i ∈ {1, . . . } : ui
$
← gxi
pk ← (u1, . . . , u , h) ∈ G +1
sk ← (x1, . . . , x , ω) ∈ (Zp) +1
Return (sk, pk)
KEM.Enc(pk)
r
$
← Z∗
p ; c ← gr
(t1, . . . , t ) ← CHOP(c)
π ← ( i=1 uti
i )r
C ← (c, π) ∈ G2
K ← hr ∈ G
Return (C, K)
KEM.Dec(sk, C)
if c ∈ G return ⊥
(t1, . . . , t ) ← CHOP(c)
if c
P
i=1 xiti = π return ⊥
Return K ← cω
Encryption takes +3 exponentiations, where the generation of π can again be viewed as a single
multi-exponentiation (as long as is a small constant). Decryption takes two exponentiations
which can be viewed as one sequential exponentiation. Public-key contains + 2 elements in G,
secret-key + 2 element in Zp. Again, for most practical group schemes, = 2.
Comparison with Kurosawa-Desmedt. A corresponding hash-free variant of the Kurosawa-
Desmedt scheme has key sizes |pk| = +2, |sk| = 2 , where = 2|q |/|p| (due to the fact that
CHOP has to map two group elements to Zp ). Encryption has +3 exponentiations, decryption
three. Assuming q ≤ p2 we get ≤ 4.
C Target collision resistant hashing
In the description of the schemes, the target collision resistent hash function TCR maps elements
from G to Zp. However, G is a subgroup of ˆG and hence elements from G are usually represented
as elements from ˆG. Hence, what we need is a TCR function TCR : ˆG → Zp that is target
collision-resistant on G ⊆ ˆG.
In this section we show that for many interesting group schemes GS we can implement such
hash functions very efficiently by exploiting the fact that the order of G equals p, i.e. by giving
a function TCR∗
: ˆG → Zp that is a bijection on G.
As already pointed out in [10] we note that it is sufficient for our application that TCR∗
is
injective on an overwhelming fraction of G. In case we can efficiently find out if a given element
is “non-bijective” we define TCR+
as follows.
TCR+
(c1) =
⊥ : if there exists c1 = c1 with TCR∗
(c1) = TCR∗
(c1)
TCR∗
(c1) : otherwise
Our PKE schemes have to be adapted to handle the case that TCR+
(c1) outputs ⊥. For encryp-
tion, if TCR+
(c1) = ⊥, then the encryption algorithm starts from scratch with a fresh (random)
value c1 = gr
1. For decryption, all ciphertexts containing an element c1 with TCR+
(c1) = ⊥
simply get rejected.
Elliptic curves. An elliptic curve is defined by an equation of the form
y2
= x3
+ ax + b .
If the coordinates x and y are chosen from a large finite field F , the solutions form a finite abelian
group ˆG = E(F ) with O, the distinguished point at infinity, playing the role of multiplicative
identity. According to Hasse’s theorem the number of points on a curve is close to the size of
the underlying field; more precisely, (
√
− 1)2 ≤ |E(F )| ≤ (
√
+ 1)2. We consider the case
where E(F ) already has prime order and set G = ˆG = (F ). Then the mapping
TCR+
(x, y) =
⊥ : x ≥
x : otherwise
31

is a bijection on an overwhelming fraction of G [10]. We also remark that since ˆG = G, the
subgroup membership test becomes trivial.
Group of Quadratic Residues Modulo Safe Prime. Let ˆG = Zq for a safe prime q with
q = 2p + 1, where p is a prime. Let G be a group of nonzero quadratic residues modulo q . The
order of G equals p. Consider the following function
TCR∗
(x) =
x : if x ≤ p
q − x : otherwise.
It is shown in [14, Example 2] that function TCR∗
is a bijection. We remark that subgroup
membership tests can be efficiently implemented by evaluating the Jacobi symbol.
D Construction of authenticated encryption schemes
We recall the encrypt-then-mac approach [5, 14] for constructing authenticated symmetric en-
cryption.
D.1 Building blocks
Key Derivation Functions. A key-derivation function KDF for group scheme GS is a family
of functions KDFk : G → {0, 1}2k. We assume its output on a random input is computationally
indistinguishable from a random 2k-bit string (pseudorandomness), captured by defining the
kdf-pr-advantage of an adversary Bkdf as
Advkdf-pr
KDF ,Bkdf
(k) =
1
2
| Pr[Bkdf(KDF(K)) = 1] − Pr[Bkdf(X) = 1]|,
where K
$
← G and X
$
← {0, 1}2k.
Message Authentication Codes. A message authentication code MAC = (M.tag, M.vfy)
with keys mk ∈ {0, 1}k consists of a tag algorithm M.tag(mk, M) and a verification algorithm
M.vfy(mk, τ). For consistency we require that for all messages M, we have Pr[M.vfymk (M, M.tag(M)) =
⊥] = 1, where the probability is taken over the choice of coins of all the algorithms in the ex-
pression above.
MAC needs to be strongly unforgeable against one-time attacks (SUF-OT) captured by defin-
ing the suf-ot-advantage of an adversary Bmac as
Advsuf-ot
MAC,Bmac
(k) = Pr[M.vfy(mk, M∗
, τ∗
) = ⊥ : mk
$
← {0, 1}k
; (M∗
, τ∗
)
$
← BM.tag(mk,·)
mac (1k
)] .
Above, oracle M.tag(sk, ·) returns τ ← M.tag(mk, M) and A may only make one single query to
oracle M.tag(mk, ·). The target pair (M∗, τ∗) must be different from the pair (M, τ) obtained
from M.tag(mk, ·) (strong unforgeability).
We remark that efficient MACs satisfying the above definition can be constructed without
any computational assumption (and secure against unbounded adversaries) using, e.g., almost
strongly-universal hash families [40].
One-time secure symmetric encryption. Symmetric encryption S = (S.Enc, S.Dec) with
keyspace {0, 1}k and message space {0, 1}m(k) is specified by its deterministic encryption algo-
rithm S.Enc and decryption algorithm S.Dec. The scheme needs to be IND-OT captured by
defining the ind-ot-advantage Advind-ot
S,Bs
(k) of an adversary Bs as
Advind-ot
S,Bs
(k) = Pr[b = b : dk
$
← {0, 1}k
; b
$
← {0, 1} ; b
$
← BLoRb(·,·)
s (1k
)] −
1
2
32

Above, LoRb(M0, M1) returns ψ ← S.Enc(dk, Mb). Bs is allowed only one query to this left-
or-right encryption oracle, consisting of a pair of equal-length messages. One example of an
IND-OT secure symmetric encryption scheme is the one-time pad [37].
D.2 Construction of authenticated encryption
Let S = (S.Enc, S.Dec) be a symmetric encryption that inputs keys from {0, 1}k (such as AES),
let KDF a key-derivation function for group scheme GS that outputs bitstrings of length 2k, and
let MAC be a MAC scheme with keys mk ∈ {0, 1}k. Using the “Encrypt-then-MAC” paradigm
we can construct an algebraic AE = (AE.Enc, AE.Dec) that inputs keys K ∈ G as follows.
AE.Enc(K, M)
(mk||dk) ← KDF(K), where mk, dk ∈ {0, 1}k
ψ ← S.Enc(dk, M)
τ ← M.tag(mk, ψ )
Return ψ = (ψ , τ)
AE.Dec(K, ψ = (ψ , τ))
(mk||dk) ← KDF(K)
If M.vfy(mk, τ) = ⊥ return ⊥
M ← S.Dec(dk, ψ )
Return M
Typically, a MAC tag (from a computationally secure MAC) has k bits, so the above construction
generates ciphertexts of size d(k) = |M| + k. The following lemma [14, 20, 5] guarantees the
AE scheme is one-time secure.
Lemma D.1 Assume S is IND-OT, KDF is pseudorandom, and MAC is SUF-OT. Then AE
is AE-OT. In particlar, we have
Advae-ot
AE,t (k) ≤ Advind-ot
S,t (k) + Advkdf-pr
KDF ,t(k) + Advsuf-ot
MAC,t(k) .
Intuitively, the MAC ensures the ciphertext integrity and the encrypt-then-mac paradigm ensure
that one-time security is preserved.
We remark that for authenticated encryption is a strictly stronger security notion than
chosen-ciphertext security (using a separation example from [5]), whereas the latter is already
suﬃcient for the KEM/DEM composition theorem [14] (i.e., a IND-CCA secure KEM plus
chosen-ciphertext secure symmetric encryption implies IND-CCA secure PKE). On the other
hand, there exists redundancy-free chosen-ciphertext secure symmetric encryption [28] (with
d(k) = |M|) whereas redundancy-free authenticated encryption do not exist.
33

Hk07

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a Hk07

Similar a Hk07 (20)

Último

Último (20)

Hk07